Proofpoint, Inc. to Acquire Armorize Technologies, Inc.

To our Customers, Partners, and Friends,

Today we light the firecrackers at Armorize!

We're extremely excited to let you know that Armorize Technologies Inc. will become a part of Proofpoint Inc.! The acquisition has been approved by the Proofpoint Board of Directors and by the requisite Armorize shareholders and is expected to close in the third quarter of 2013. We owe this incredible success to our current team and to our many friends who've supported us along the way. Thank you everyone!

For me personally, the past few years have been the happiest time of my life. At Armorize I get to work with a great team, and I really appreciate the chemistry, the friendship, and the sense of mission; we're like a family and I constantly felt we were making progress, innovating, overcoming challenges, learning, improving, helping each other, helping our users, and making impossible happen. It's an incredible feeling, indescribably great, utterly satisfying, and highly addictive. It was worth every minute of the hard work! Money can't buy this and I am grateful for the amazing experience and memories. I feel very lucky.

Proofpoint is a worldwide leader in email security and it's incredible to see their progress as highlighted by Gartner's report: Magic Quadrant for Secure Email Gateways 2013.

An important reason for Proofpoint to stand out as a clear leader in Gartner's 2013 report, is its new Targeted Attack Protection (TAP) offering, which leverages Armorize's advanced malware scanning platform. Email is the primary attack vector in Advanced Persistent Threats (APT), and is often used as means to deliver malicious URLs and documents to victims.

An interesting question is: even if a victim was lured into opening a malicious URL or document, why would he or she get infected? How did the attack bypass the antivirus solutions, the UTMs, and the email security gateways? To dig into this, let's reflect back on how the antivirus industry all started: most antivirus started out aiming at detecting viruses on the PC. The keyword here isn't "virus;" it's "PC." The PC has always had very limited computation power and therefore, all along the way, antivirus' goal has been to "detect as much as possible" under constrained resources. After all, who'd like to use antivirus products that consume half of our PC's resources, and reduce our notebook's battery life by half?

This concept rooted even deeper into the antivirus industry as the Internet boomed and antivirus vendors started to integrate with all sorts of network devices – firewalls, gateways, email servers, IDS, etc. These were great new markets for the antivirus vendors, but because speed is critical and computation power is limited to what's available on an appliance, antivirus went further down the road of signature-based pattern matching.

In today's world where mature cloud technologies are readily available, an important question we ask ourselves is:

Can we scale up our detection rate proportionate to our available computation power? For antivirus, the answer is NO. Since antivirus detection rate quickly plateaus as we add resources, it is hard for antivirus to benefit from today's cloud advancements. Don't get me wrong, antivirus can still leverage the cloud to scale up their detection "volume" and "speed," but when it comes to increasing the detection rate, not really.

Aimed at detecting next generation threats, Armorize set its goal to build a detection platform whose detection rate scales up in proportion to the computation power. This allows us to leverage recent cloud advancements and increase our detection rate as cloud technologies improve.

If we look at sandboxing, which we use heavily, well, sandboxing isn't really "new." Sandboxing was a hot security technology in the early 2000, but it didn't pick up as well as expected. The reason? The concept was innovative at the time, but the mindset was not so. Vendors were trying to offer sandboxing as better antivirus products – meaning, designing sandboxing products to run on PCs and notebooks.

It wasn't a great fit at the time, again, due to the PC's limited resources. Using dedicated hardware for sandboxing is a better approach, but it still doesn't leverage modern cloud advancements.

Today at Armorize, we've successfully built a platform that combines sandbox-based attack detection with cloud-based technologies. The boost in detection rate was phenomenal. Scaling up the detection rate has become practical. This is what Proofpoint is using for their TAP (Targeted Attack Protection), and this has contributed greatly to their improved status in Gartner 2013's Magic Quadrant as a clear leader in email security.

Our new platform is focused on detecting "next generation attacks," and it doesn't just include APT. For example, an important APT requirement is to focus the attack scope. To reduce exposure and prolong attack lifespan, APT attacks limit the delivery scope and focus only on desired targets. This coincides with the requirements of the online advertising industry--targeted, selected delivery scope, differentiating bots (ex: crawlers) against humans, and so on.

For online advertisers, each click or impression costs money and therefore, it is critical for the ecosystem to be extremely accurate at differentiating between bots and humans. Serving ads to bots results in wasted advertising dollars due to the fact that there is no hope of converting a bot to a customer. For APT attackers, serving exploits to these bots runs the risk of exposing attack campaign, and so they must also be very good at differentiating visitors and at targeting content.

Because these requirements coincide, attackers have been leveraging the online advertising ecosystem to spread malware, resulting in a new type of hard-to-detect threat. We call this "malvertising," which in our view makes up another type of next generation threat.

For Armorize, the acquisition presents a Launchpad from which we plan to soar to new heights. In recnet years we've been quiet on our blog, because we've been very busy building our new platform. We've even created our own static+dynamic analysis engine that goes together with our own threat description language we call Vicara. As per the Chinese idiom, "Like adding wings to a tiger," Proofpoint's comprehensive email security platform, combined with Armorize's new cloud-based next generation defense platform, is going to change the way people consider email security. At the same time, armed with Proofpoint's resources, we'll be quickly improving all products under HackAlert Suite, including HackAlert Website Monitoring, HackAlert SafeImpression, HackAlert Vulnerability Assessment, and HackAlert CodeSecure.

Powered with Proofpoint's extensive experience in cloud computing, HackAlert Suite is going to incorporate innovations at a much faster rate. Coupled with Proofpoint's sales and customer support resources, HackAlert Suite will be able to help a much wider spectrum of businesses in their fight against next generation threats.

Starting out eight years ago, Armorize has grown solidly, step by step. We are so very excited about the future, and to have the opportunity to make a much greater impact in helping businesses protect their investments, customers, employees and Intellectual Property, allowing them to focus on their own core competencies and generate further value for all of their stakeholders.

We'd like to express our sincere gratitude to all the friends we've made along the way. It is because of your help that we have made it this far and we will always be grateful and cherish the memories. Moving forward, please give us and Proofpoint your continued support as we strive to deliver the world's most advanced defense platform against next generation threats. Thank you!

Wayne Huang
Aug 8, 2013

Read more (rest of article)...

Armorize launched new service at RSA 2013: HackAlert Scanning and Forensics Extraction API for Malware, Malvertising, 0-day and APT Attacks

We've just completed our participation at the RSA Conference in San Francisco--our 7th year as exhibitor! We hope to give an update here of what's been happening at Armorize. It’s been 16 month since we've blogged. We've been too busy--there are many new partners and customers to support, many new threats to analyze, and many new technologies to develop--and this all makes spending time on the blog seem an unjustifiable luxury. We hope to resume blogging in a couple of months, but meanwhile, this blog post will serve as an update of what we've been working on in the past 16 months. In summary, we've been busy with:

  1. Expanding our engineering and operations team, and arranging for for their advanced training and certification.
  2. Developing and finalizing the HackAlert V5 API, and working on the HackAlert V6 API, which is to be released in 3Q of this year.
  3. Expanding HackAlert V5 API to incorporate support for APT (advanced persistent threat) detection and AFRM- (Armorize Fornsics and Reporting Methodology) based reporting.
  4. Developing and finalizing CodeSecure V5, and planning for CodeSecure V6.
Regarding 1), R&D expansion:

We've been expanding our engineering team and would like to congratulate the 35 colleagues who's recently passed their EC-Council Certified Ethical Hacker's certification: Adam Wei (ECC974360), Ain Chang (ECC974345), Alex Ruan (ECC974342), Allan Ku (ECC971799), Angus Wei (ECC974359), Aryan Chen (ECC974344), Carol Ru (ECC974341), Cyndi Wei (ECC974340), Eddie Chou (ECC974362), Eric Liu (ECC971746), Fred Tai (ECC971717), Hsuan Wang (ECC974346), Hyman Pan (ECC971733), Jasmine Chen (ECC974343), Jason Yang (ECC971702), Jeff Lee (ECC971815), Jimmy Huang (ECC974354), Joe Chang (ECC974361), Jordan Forssman, Lance Chang (ECC971730), In-Yee Lee (ECC971736), Mars Fu (ECC971756), Martin Chen (ECC971707), Matt Huang (ECC974356), Max Hsu (ECC974353), Michelle Juan (ECC974363), Paul Chen (ECC974358), Robin Huang (ECC971724), Roger Wang (ECC971813), Susan Chiu (ECC974347), Tom Kao (ECC971805), Van Cheng (ECC974357), Wayne Huang (ECC971814), and Wilson Chiou (ECC971812).

Continuous technical training is critical for us, and we've found training coupled with certification makes an effective combination. Next target will be CISSP and ECSP.

Regarding (2), the HackAlert V5 API:

The V3 API was first released in 2009 and is now both mature and robust. Based upon our experience operating the V3 service, we developed several generations of the HackAlert API, leveraging various new big data technologies. We released the HackAlert V4 API in 2010, which focused at providing our malvertising scanning platform. This time at RSA 2013, we released the HackAlert V5 API. Developed completely from the ground up around the latest methodologies for scalability, V5 is extremely scalable and fault tolerant, capable of handling a partner as big as Google. It also comes with an entirely new generation of malware and malvertising detection engines built from scratch starting in late 2011. This provides improved detection accuracy and coverage, as well as very detailed incident traceback reporting that precisely describes an incident’s origin, the areas of impact, and the final attack point. V3 and V4 servers, and consequently their API, are approaching their end of product life cycle. Starting from Nov 1st, 2012, new partners will not be offered an option to use either V3 or V4. We are working with existing partners now to help them migrate to HackAlert V5.

Regarding (3), APT and AFRM-based reports:

AFRM-based reporting is an important new feature of the HackAlert V5 API. For every scan you submit to the HackAlert service (ex: online ad, URL, malware, document exploit), you will get a detailed, aggregated forensics report, laid out according to the Armorize Forensics Reporting Methodology (AFRM). AFRM enables you to easily comprehend the returned forensics data, and to use it for your own further analysis. AFRM reports include:
  1. Scene details (eg., URL, ad tag, PDF document).
  2. Aggregated interpretations (eg., “malicious”, “blacklisted”).
  3. Aggregated proofs (eg., “drive-by download”, “registry modification”, “process injection”). Proofs provide support for interpretations.
  4. Aggregated exhibits (eg., code snippet of shellcode, code snippet of exploit code, code snippet of HTTP responses, parameters of API calls, sections of binary files). Exhibits are sections of evidences that provide support for proofs.
  5. Aggregated evidences (eg., HTTP response, API calls, binary files).
  6. Evidence correlations (eg., Javascript 1 (Exhibit A) --> document.write (Exhibit B) --> Javascript 2 (Exhibit C) --> Load iframe 3 (Exhibit D)).
You will know exactly what a target is made up of, what it tries to do, where the attack is coming from, and the causality relationships between the collected evidences.

Exploit-Based Malware Infections

To explain AFRM, we first take a look at the exploit-based malware infection (EBMI) process, which is a widely used attack vector in Advanced Persistent Threats (APT). In EBMI, the victim is infected via opening a malicious document, often referred to as a document exploit. Common document exploit formats used in EBMI include Web pages, PDF files, Word files, Powerpoint files, Excel files, and Flash files embedded inside one of the previous types.

Phase 1: Exploit delivery and shellcode execution

During EBMI phase 1, the victim opens a document via a (document) renderer–defined as a software program that displays the document. Common (document, renderer) pairs include: (Web page, Web browser), (Web page containing flash, Web browser with flash support or plug-in), (Web page containing Java applets, Web browser with applet support / JRE), (PDF document, PDF reader), (Word document, MS Word), (Excel document, MS Excel), (Powerpoint document, MS Powerpoint), etc.

The document here, being malicious, is referred to as a document exploit. It contains mechanisms to exploit vulnerabilities either directly inside the renderer itself, or inside one of the renderer’s installed plug-ins (eg., Flash, Java applet, Real player, etc). If the exploited vulnerability is unknown to the renderer provider (vendor), then it is called a 0-day exploit.

This exploitation code (the exploit) is often implemented using scripting languages (eg., Javascript, Actionscript, VBScript, VBA) Two key factors make scripting languages extremely useful for this purpose: a) they provide the functionality needed to exploit the targeted vulnerability and b) being interpreted languages, it is very easy to obfuscate the exploitation code, thus making detection difficult.

Common (renderer, scripting language) pairs include (Web browsers, Javascript), (Flash, Actionscript), (PDF, JScript), (Office documents, VBA macros). Note that Javascript, Actionscript, and JScript are all ECMA-based scripting languages.

The following attacks leverage an EBMI process: a) drive-by download attacks, b) malvertising attacks, c) URL-based email attacks, and d) attachment-based email attacks. In (a) (b) and (c), the browser ultimately loads a Web page served by an exploit pack, which serves polymorphic Web-page exploits. The server that hosts the exploit pack is called the exploit server, and the involved URLs are called the exploit URLs.

Phase 2: Malware execution

When a document exploit is opened and upon successful exploitation, a dropper is often created on disk and executed. The dropper can either be the actual malware, or it can be just a tiny executable whose sole job is to download the actual malware over Internet.

In order to permanently infect the compromised system, the malware will often a) move itself to permanent disk locations and b) modify system configuration (eg., registry settings) so as to be auto executed upon every system startup. In order to hide itself from security checkers and users, the malware will often a) rename itself to seemingly legitimate filenames or b) arrange for alternative, less detectable and higher-privileged methods of execution, for example, using process injection.

Once permanently installed, the malware will typically start to a) connect back home to the command-and-control (CNC) server, or to b) send the collected information back to the attacker.

Using the HackAlert V5 API, you will not only be able to detect EBMI, but also receive detailed forensics reports on exactly what had happened during the two EBMI phases.

Regarding (4), CodeSecure V5

CodeSecure V5 offers better performance, accuracy, and language support over CodeSecure V4. Last year, I manged to convince six of my university classmates and roommates to quit their excellent jobs and join Armorize. Among them, Martin Chen now oversees CodeSecure's development. He's written an entirely separate blog and we'll be putting it up very soon.

Read more (rest of article)...

Malvertising on KickAssTorrents ( , OpenX compromised to serve fake anti-virus "Security Sphere 2012"

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (, ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:

Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
Our users that are using the Avast anti-virus might have noticed that suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.

In another thread, KickAss Torrents said:

Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.

KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:


It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.


Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different domain name every hour, in the format of, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE At this time the domain resolved to an Netherlands IP The domain started to resolve to on Aug 23rd. This IP and the domain are both currently still up and working.


KickAssTorrents serves its ads via its OpenX installation at This platform has been compromised and made to serve browser exploits. In our video, this URL:§ion=1939940

was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX html code:

The following is the important parts of the decoded version:

From line 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:

Read more (rest of article)... mass infection ongoing

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing an mass injection attempt. Currently, there's been 180,000 affected pages, according to Google.

The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton, seen from the following deobfuscated script:

Here is a text version of the above decoded script.

The scripts causes the visiting browser to load an iframe first from and then from Multiple browser-based drive-by download exploits are served depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites will be installed with malware on their machines without their knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).

This wave of mass injection incident is targeting ASP ASP.NET websites.

Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware. resolves to IP (AS3999), which is in Russia. resolves to (AS36352), which is in the US and hosted by resolves to IP (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: (AS25653), which is in the US.


1. ASP and ASP.NET websites are injected with the following script (text is here):

2. Contents of urchin.js is as seen below; full text is here.

3. The above script decodes to the following:

Here is a text version of the above decoded script.

4. The above script generates an iframe to, which gives an HTTP 302 redirect to the exploit server at

Read more (rest of article)...

Malvertising lifecycle case study 1--OpenX compromise on, spreading Security Sphere 2012 fake antivirus

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Incident:, ranked 541 on Alexa with 8,141,777 unique visitors and 10,177,221 page views per month, fell victim to malvertising and was spreading the "Security Sphere 2012" fake antivirus to its visitors. By simply navigating to the website, visitors with outdated browsing environments (browser or browser plugins such as Java, Adobe Flash, Adobe PDF Reader, etc) will end up with Security Sphere permanently installed inside their systems.

Malware: By claiming that every application "has been infected by malware and cannot be executed," Security Sphere 2012 basically locks down the infected computer until the victim purchases a "license" for it to "clean up the infections."

Cause: runs its own online advertisement platform using OpenX, using the domain The attackers have compromised this OpenX platform and injected an malicious iframe into every ad served. We have a video of the how visitors are infected:

Malware Lifecycle: Initially, the detection rate on VirusTotal was 0 out of 43:

The malware detects common VMs (virtual machines) and will not execute inside a VM or sandbox. This helps it avoid detection.

Below is a timeline of the malware lifecycle. We missed to submit in some spots so the timeline isn't 100% accurate, but it gives a good idea:

2011-09-XX 00:00 UTC Initial injection into and other websites
(Anvirirus companies do not have this particular malware sample and therefore no one is detecting it)
(We don't know how long this period was)
2011-09-30 09:23 UTC 0 / 43, we first submitted the sample to VirusTotal. Because all 43 participating antivirus vendors are in partnership with VirusTotal, they should all have this sample once we've submitted it.

2011-09-30 11:00 UTC 2 / 43, Kaspersky, NOD32

2011-09-30 15:00 UTC 3 / 43, Dr. Web

2011-09-30 19:00 UTC 7 / 43, Comodo, Emsissoft, Microsoft, Panda

2011-09-30 23:00 UTC 9 / 43, AVG, Symantec

2011-10-01 03:00 UTC 14 / 43, BitDefender, F-Secure, GData, PCTools, SUPERAntiSpyware

2011-10-01 07:00 UTC 14 / 43,

2011-10-01 11:00 UTC 17 / 43, Avast, McAfee, VIPRE

2011-10-01 15:00 UTC 17 / 43,

2011-10-01 19:00 UTC 22 / 43, Ahn-Lab-V3, Ikarus, K7AntiVirus, McAfee-GW-Edition, Sophos

2011-10-01 23:00 UTC 22 / 43,

2011-10-02 03:00 UTC 22 / 43,

2011-10-02 07:00 UTC 22 / 43,

2011-10-02 11:00 UTC 22 / 43,

2011-10-02 15:00 UTC 22 / 43,

2011-10-02 19:00 UTC 22 / 43,

2011-10-02 23:00 UTC 22 / 43,

2011-10-03 03:00 UTC 22 / 43,

2011-10-03 07:00 UTC 22 / 43,

2011-10-03 11:00 UTC 30 / 43, AntiVir, Antiy-AVL, CAT-QuickHeal, Emsisoft, TheHacker, TrendMicro, TrendMicro-HouseCall, VirusBuster

2011-10-03 15:00 UTC 30 / 43,

2011-10-03 19:00 UTC 31 / 43, nProtect

2011-10-03 23:00 UTC 31 / 43,

2011-10-04 03:00 UTC 31 / 43,

2011-10-04 07:00 UTC 31/ 43,

2011-10-04 11:00 UTC 31 / 43,

2011-10-04 15:00 UTC 31 / 43,

2011-10-04 19:00 UTC 31 / 43,

2011-10-04 23:00 UTC 31 / 43,

2011-10-05 03:00 UTC 31 / 43,

2011-10-05 07:00 UTC 31 / 43,

2011-10-05 11:00 UTC 32 / 43, eTrust-Vet

2011-10-05 15:00 UTC 32 / 43,

2011-10-05 19:00 UTC 32 / 43,

2011-10-05 23:00 UTC 32 / 43,

2011-10-06 03:00 UTC 32 / 43,

2011-10-06 07:00 UTC 32 / 43,

2011-10-06 11:00 UTC 33 / 43, Fortinet

2011-10-06 15:00 UTC 33 / 43,

2011-10-06 19:00 UTC 33 / 43,

2011-10-06 23:00 UTC 33 / 43,

2011-10-07 03:00 UTC 33 / 43,

2011-10-07 07:00 UTC 33 / 43,

2011-10-07 11:00 UTC 33 / 43,

2011-10-07 15:00 UTC 33 / 43,

2011-10-07 19:00 UTC 33 / 43,

2011-10-07 23:00 UTC 33 / 43,

2011-10-08 03:00 UTC 33 / 43,

2011-10-08 07:00 UTC 33 / 43,

2011-10-08 11:00 UTC 33 / 43,

2011-10-08 15:00 UTC 33 / 43,

2011-10-08 19:00 UTC 33 / 43,

2011-10-08 23:00 UTC 33 / 43,

2011-10-09 03:00 UTC 33 / 43,

2011-10-09 07:00 UTC 33 / 43,

2011-10-09 11:00 UTC 33 / 43,

2011-10-09 15:00 UTC 33 / 43,

2011-10-09 19:00 UTC 34 / 43, JIangmin

2011-10-09 23:00 UTC 34 / 43,

Still undetecting: ByteHero, ClamAV, Commtouch, eSafe, F-Prot, Prevx, Rising, VBA32, ViRobot

Read more (rest of article)...

Mass WordPress infection ongoing--most malicious domains using

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
To peer researchers: As we all know, researching security incidents take a lot of time and sacrifice; as if they know exactly how to make our lives harder, attackers often launch right before the weekend or a long vacation. In such an event, we often need to sacrifice our personal plans to be with our families, in order to research and publish threats fast enough.

In the past, usually right after we publish our blog and tweet the link, some other security blogs will very quickly put out a post regarding the same incident. Usually there will be a link to our original post, and we appreciate this very much.

However, recently, for some of our posts, we feel our contents were plainly copied and there was no credit linking to us. We sincerely hope this won't happen.

Together as a security community, we have a common goal--to make the Internet a safer place for everyone. It's an honor to be a part of this community, and we have a lot of respect for everyone involved. We just don't like the feeling of being taken advantage of. Thanks very much everyone!

We've been tracking an ongoing mass WordPress infection that began to take place around Oct 5th, as detected by our HackAlert Website monitoring service. Many Wordpress sites have been hit. Using as an example, we've created a video showing how an affected WordPress site can infect its visitors.

1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords b) backdoors into previously compromised WordPress websites and c) Automated script-injection tools that work in combination of either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware will be installed (dropped) onto the visitors machines without the users' knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:

7. Malicous domains: This time, instead of owning the malicious domains themselves, the attackers are using mostly the dynamic DNS service provided by A sample list is as follows:

8. Malicous domains: Although all of the above domains were resolving through, there are only a few IPs used so far, including the following:

1. (Primary IP, AS12695, Russian Federation Moscow Digital Networks Cjsc)
2. (AS25847, United States New York Smv)
3. (AS18229, India Hyderabad IP Pool For Znet)

9. Exploit pack: *NOT* BlackHole, still analyzing

10. Is your WordPress infected? A very simple way is to check for the existence of the following text: a) showthread b) 72241732 c) 72291731 and if these exist, have a closer look. You can also use the HackAlert Website monitoring service to have your site monitored 24x7.


The injection has a simple chain:

1. Index page of a WordPress site is injected with script packed by Dean Edwards' packer
2. Javascript generates iframe to a malicious domain registered with
3. Browser loads the exploit pack from the malicious domain, hosting on a few fixed IPs including (Russia), (USA), and (India).

Below is an example of an injected script:

Depending on the browsing platform used, several malicious binaries are dropped upon successful exploitation. At the time of this writing, the antivirus detection rate is 5 out of 43 vendors on VirusTotal:

Read more (rest of article)... hacked, infecting visitors with malware

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Our HackAlert 24x7 Website malware monitoring platform today indicated that has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:

[Infection Chain]

Step 1:

Causes the visiting browser to load the following:

Step 2:

This is the injection point. The entire content of the above .js file can be found here.

The injected section is shown in the above screenshot. The decoded version is as follows:
The text version is available here. This script generates an iframe to Step 3.

Step 3:

Throws out a 302 redirect to Step 4.

Step 4:

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting with a vulnerable browsing platform will result in an infection.

Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.

[The Attacker]

We don't know much at this point. The following are information regarding the associated malicious domains. (Step 3)
Location: Germany / Berlin
Created On:20-Jun-2011 13:17:05 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Street1:7880 SW 132 STREET
Registrant City:MIAMI
Registrant State/Province:Florida
Registrant Postal Code:33156
Registrant Country:US
Registrant Phone:+1.3053771635
Admin ID:TS_14483505
Admin Organization:N/A
Admin Street1:7880 SW 132 STREET
Admin Street2:
Admin Street3:
Admin City:MIAMI
Admin State/Province:Florida
Admin Postal Code:33156
Admin Country:US
Admin Phone:+1.3053771635
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Name Server:NS1.SKYNS1.NET
Name Server:NS2.SKYNS1.NET (Step 4)
Location: Sweden / Stockholm

The website is as of now, still serving this exploit and malware.

We're in the process of contacting If anyone have contacts to them, please drop us an email at

PS: Armorize is hiring presales in the bay area:

Read more (rest of article)...